CVE-2020-26302: is_js vulnerable to Regular Expression Denial of Service

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.39104%
Published: 7/6/2023
Updated: 7/6/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
is_js           npm          <= 0.9.0               none

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability documentation explicitly states the URL validation regex is the root cause, and the PoC demonstrates exploitation via the is.url() method. The advisory links confirm this is the primary affected functionality with no patched version available. The function name and attack vector are directly specified in both GHSA and CVE descriptions.

WAF Protection Rules

WAF Rule

is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). is.js uses a regex copy-pasted from a gist to validate URLs. Trying to val
